Flexible architecture and instruction for advanced encryption standard (aes)

ABSTRACT

A flexible aes instruction set for a general purpose processor is provided. The instruction set includes instructions to perform a “one round” pass for aes encryption or decryption and also includes instructions to perform key generation. An immediate may be used to indicate round number and key size for key generation for 128/192/256 bit keys. The flexible aes instruction set enables full use of pipelining capabilities because it does not require tracking of implicit registers.

CLAIM OF PRIORITY

This application claims the priority filing benefit of, is acontinuation of, and incorporates by reference, U.S. patent applicationSer. No. 14/572,620 entitled “FLEXIBLE ARCHITECTURE AND INSTRUCTION FORADVANCED ENCRYPTION STANDARD (AES)” filed on Dec. 16, 2014, which is acontinuation application of U.S. patent application Ser. No. 14/014,091,entitled “FLEXIBLE ARCHITECTURE AND INSTRUCTION FOR ADVANCED ENCRYPTIONSTANDARD (AES)” filed Aug. 29, 2013 which is a continuation of U.S.patent application Ser. No. 11/729,199, entitled “FLEXIBLE ARCHITECTUREAND INSTRUCTION FOR ADVANCED ENCRYPTION STANDARD (AES)” filed Mar. 28,2007 and now patented as U.S. Pat. No. 8,538,015 issued on Sep. 17,2013.

FIELD

This disclosure relates to cryptographic algorithms and in particular tothe advanced encryption standard (AES) algorithm.

BACKGROUND

Cryptology is a tool that relies on an algorithm and a key to protectinformation. The algorithm is a complex mathematical algorithm and thekey is a string of bits. There are two basic types of cryptologysystems: secret key systems and public key systems. A secret key systemalso referred to as a symmetric system has a single key (“secret key”)that is shared by two or more parties. The single key is used to bothencrypt and decrypt information.

The Advanced Encryption Standard (AES), published by the NationalInstitute of Standards and Technology (NIST) as Federal InformationProcessing Standard (FIPS) 197 is a secret key system. AES is asymmetric block cipher that can encrypt and decrypt information.

Encryption (cipher) performs a series of transformations using thesecret key (cipher key) to transforms intelligible data referred to as“plaintext” into an unintelligible form referred to as “cipher text”.The transformations in the cipher include: (1) Adding a round key (valuederived from the cipher key) to the state (a two dimensional array ofbytes) using a Exclusive OR (XOR) operation; (2) Processing the stateusing a non-linear byte substitution table (S-Box) (3) Cyclicallyshifting the last three rows of the state by different offsets; and (4)Taking all of the columns of the state and mixing their data(independently of one another) to produce new columns.

Decryption (inverse cipher) performs a series of transformations usingthe cipher key to transform the “cipher text” blocks into “plaintext”blocks of the same size. The transformations in the inverse cipher arethe inverse of the transformations in the cipher.

The Rijindael algorithm is specified in the AES standard to process datablocks of 128 bits, using cipher keys with lengths of 128, 192 and 256bits. The different key lengths are typically referred to as AES-128,AES-192 and AES-256.

The AES algorithm transforms the plaintext into cipher text or ciphertext into plaintext in 10, 12, or 14 consecutive rounds, with the numberof rounds dependent on the length of the key.

BRIEF DESCRIPTION OF THE DRAWINGS

Features of embodiments of the claimed subject matter will becomeapparent as the following detailed description proceeds, and uponreference to the drawings, in which like numerals depict like parts, andin which:

FIG. 1 is a block diagram of a system that includes an embodiment of aflexible architecture and instruction for performing AES encryption anddecryption in a general purpose processor according to the principles ofthe present invention;

FIG. 2 is a block diagram of an embodiment of the processor shown inFIG. 1;

FIG. 3 is a block diagram that includes an embodiment of the executionunit shown in FIG. 2 for performing AES encryption and decryptionaccording to the principles of the present invention;

FIG. 4 is a flow graph illustrating the flow of an aes encrypt roundinstruction through the execution unit shown in FIG. 3;

FIG. 5 is a flow graph illustrating the flow of an aes encrypt lastround instruction through the execution unit shown in FIG. 3;

FIG. 6 is a flow graph illustrating the flow of an aes decrypt roundinstruction through the execution unit shown in FIG. 3;

FIG. 7 is a flow graph illustrating the flow of an aes decrypt lastround instruction through the execution unit shown in FIG. 3; and

FIG. 8 illustrates an embodiment of an aes round instruction withimmediate byte that may be used to generate round keys and performencryption and decryption.

Although the following Detailed Description will proceed with referencebeing made to illustrative embodiments of the claimed subject matter,many alternatives, modifications, and variations thereof will beapparent to those skilled in the art. Accordingly, it is intended thatthe claimed subject matter be viewed broadly, and be defined only as setforth in the accompanying claims.

DETAILED DESCRIPTION

The Advanced Encryption Standard (AES) algorithm is a compute intensivealgorithm that is typically performed in software or in a specialpurpose processor. Thus, encryption is typically only used forencrypting a subset of the information stored in computers, for example,information that may be classified as “top secret”. However, there is aneed to encrypt more of the information that is stored on computers. Forexample, if all information stored on a mobile computer was encrypted,this information would be protected in the event that the mobilecomputer was stolen.

AES is a block cipher that operates on a 128-bit block of bits with akey size of 128, 192 or 256 bits. A sequence of operations is iteratedfor a number of rounds (10, 12 or 14) based on the key size.

The generation of the keys for each round may be performed on the fly(that is, just prior to each round) using implicit 128-bit registers tostore the round key. However, the use of implicit registers may reducethe performance of x86 register-based processors due to dependency on aresult of a previous instruction.

There are some applications, for example, an application that processesnetwork packets that may have different keys per flow that benefit fromon-the-fly key generation. There may be other applications where greaterperformance is required with the single key, for example, a single keythat is used for encrypting/decrypting contents of a disk drive. Thus,there arises a need for flexibility of key generation. An embodiment ofthe invention provides a flexible architecture and instruction forperforming AES encryption and decryption in a general purpose processor.

FIG. 1 is a block diagram of a system 100 that includes an embodiment ofa flexible architecture and instruction for performing AES encryptionand decryption in a general purpose processor according to theprinciples of the present invention. The system 100 includes a processor101, a Memory Controller Hub (MCH) or (Graphics Memory Controller Hub(GMCH)) 102 and an Input/Output (I/O) Controller Hub (ICH) 104. The MCH102 includes a memory controller 106 that controls communication betweenthe processor 101 and memory 108. The processor 101 and MCH 102communicate over a system bus 116.

The processor 101 may be any one of a plurality of processors such as asingle core Intel® Pentium IV® processor, a single core Intel Celeronprocessor, an Intel® XScale processor or a multi-core processor such asIntel® Pentium D, Intel® Xeon® processor, or Intel® Core® Duo processoror any other type of processor.

The memory 108 may be Dynamic Random Access Memory (DRAM), Static RandomAccess Memory (SRAM), Synchronized Dynamic Random Access Memory (SDRAM),Double Data Rate 2 (DDR2) RAM or Rambus Dynamic Random Access Memory(RDRAM) or any other type of memory.

The ICH 104 may be coupled to the MCH 102 using a high speedchip-to-chip interconnect 114 such as Direct Media Interface (DMI). DMIsupports 2 Gigabit/second concurrent transfer rates via twounidirectional lanes.

The ICH 104 may include a storage I/O controller 110 for controllingcommunication with at least one storage device 112 coupled to the ICH104. The storage device may be, for example, a disk drive, Digital VideoDisk (DVD) drive, Compact Disk (CD) drive, Redundant Array ofIndependent Disks (RAID), tape drive or other storage device. The ICH104 may communicate with the storage device 112 over a storage protocolinterconnect 118 using a serial storage protocol such as, SerialAttached Small Computer System Interface (SAS) or Serial AdvancedTechnology Attachment (SATA).

The processor 101 includes an AES function 103 to perform aes encryptionand decryption operations. The AES function 103 may be used to encryptor decrypt information stored in memory 108 and/or stored in the storagedevice 112.

FIG. 2 is a block diagram of an embodiment of the processor 101 shown inFIG. 1. Processor 101 includes a fetch and decode unit 206 for decodingprocessor instructions received from Level 1 (L1) instruction cache 202.Data to be used for executing the instruction may be stored in registerfile 208. In one embodiment, the register file 208 includes a pluralityof 128-bit registers, which are used by an aes instruction to store datafor use by the aes instruction.

In one embodiment, the register file is a group of 128-bit registerssimilar to the 128-bit MMX registers provided in Intel Pentium MMXProcessors that have a Streaming (Single Instruction Multiple Data(SIMD)) Extension (SSE) Instruction set. In a SIMD processor, data isprocessed in 128-bit blocks with one 128-bit block loaded at one time.

The fetch and decode unit 202 fetches macroinstructions from L1instruction cache 202, decodes the macroinstructions and breaks theminto simple operations called micro operations (μops) that may be storedin microcode Read Only Memory (ROM) 214. The execution unit 210schedules and executes the micro operations. In the embodiment shown,the aes function 103 in the execution unit 210 includes micro operationsfor an aes instruction set. The retirement unit 212 writes the resultsof the executed instructions to registers or memory. A round key 214used by the aes instruction may be stored in L1 data cache 204 andloaded into the execution unit 210 for use by the micro operations toexecute an aes instruction in the aes instruction set. Storing the roundkey 214 in the data cache 204 protects the round key from side channelattacks, for example, attempts to obtain the round key in order to getaccess to encrypted information stored in the system 100.

FIG. 3 is a block diagram that illustrates an embodiment of theexecution unit 210 shown in FIG. 2 for performing AES encryption anddecryption according to the principles of the present invention. FIG. 3will be described in conjunction with FIG. 2.

After an aes instruction has been decoded by the fetch and decode unit206, the execution of an aes instruction by the execution unit 210involves performing the micro operations associated with the aesinstruction that may be stored in the microcode ROM 214.

A flexible AES instruction set according to an embodiment of the presentinvention allows a programmer to make performance tradeoffs with respectto the amount of data to be processed, and memory bandwidth andcapacity.

Some applications may continuously use the same key. In applications inwhich performance is very important, a tradeoff can be made in terms ofpre-computing a key schedule for the key (that is, a round key perround) once and storing it in memory. Other applications may want tominimize the amount of memory used to store the key schedule while stillachieving good performance on multi-block operations. For suchapplications the key schedule may be pre-computed for multiple blocksbefore being processed. The memory footprint may be further minimized byonly storing the cipher key or the inverse cipher key, and then derivingthe other as necessary at the expense of some performance.

In an x86-type processor, the area and the number of execution portsthat are available for AES round key operations and AES schedulingoperations constrain the performance of an AES instruction. In a systemin which key expansion is required for every block encryption,performance may be improved by placing the AES scheduling operations andthe AES round key operations on separate execution ports. However,separate execution ports and the additional area for controlling theseparate ports may not be available in an x86-type processor.

In an embodiment, an aes instruction set is provided that includesseparate aes instructions for performing an encryption round, adecryption round, an encryption last round, a decryption last round andfor computing an encryption round key or a decryption round key. In oneembodiment there are six aes instructions in the aes instruction set.Each aes round instruction has a unique operation code (opcode). The aesround instructions in the aes instruction set for one embodiment for afixed width round key (for example, 128-bits) are shown below in Table1.

TABLE 1 AESENCRYPTRound xmmsrcdst xmm  Input: data (=destination), roundkey  Output: data after transformation through the AES round using theround key AESENCRYPTLastRound xmmsrcdst xmm  Input: data (=destination),round key  Output: data after transformation through the AES last roundusing the round key AESDECRYPTRound xmmsrcdst xmm  Input: data(=destination), round key  Output: data after transformation through theAES round using the round key AESDECRYPTLastRound xmmsrcdst xmm  Input:data (=destination), round key  Output: data after transformationthrough the AES last round using the round key AESNextRoundKey xmmsrc1,2xmm dst (immediate)  Input: low 128 bits of key, high 128 bits of key,indicator for round number.  Output: next round key derived from theinput AESPreviousRoundKey xmmsrc1,2 xmm dst (immediate)  Input: low 128bits of key, high 128 bits of key, indicator for round number  Output:previous round key derived from the input

The aes instruction set includes four aes round instructions (encrypt,decrypt, encrypt last round, decrypt last round) and two aes round keyinstructions (next round key and previous round key). The aes roundinstructions in the aes instruction set include single round operationsto perform encryption and decryption round operations that are to beused for all rounds but the last round. For example, in theAESENCRYPTRound single round instruction in Table 1, the input data isstored in a 128-bit register (xmmsrcdst) and the round key stored inanother 128-bit register (xmm). This instruction performs an aes roundoperation on input data (source) that is stored in the 128-bit xmmsrcdstregister and overwrites the input data stored in the 128-bit xmmsrcdstregister with the result of the execution of the round operation. Thusxmmsrcdst first stores the input data and later stores the result of theaes round operation.

The aes instruction set also includes an aes decryption instruction fora last decryption round and an aes encryption instruction for a lastencryption round. For example, in the 'AESENCRYPTLastRound single roundinstruction in Table 1, the input data is stored in a 128-bit register(xmmsrcdst) and the round key stored in another 128-bit register (xmm).This instruction performs an aes round operation on input data (source)that is stored in the xmmsrcdst register and overwrites the input datastored in the xmmsrcdst register with the result of the execution of theround operation. Thus xmmsrcdst first stores the input data and laterstores the result of the round operation. The xmm register stores theround key for the round operation.

In another embodiment, the round and last round instructions, forexample, 'AESENCRYPTRound and AESENCRYPTLastRound may take the inputfrom memory (m/128) instead of from the register file 304, for example,the aes round instruction may be AESENCRYPTRound xmmsrcdst m/128.

The other two aes instructions in the aes instruction set generate around key for an aes round dependent on the size of the key, that is,128-bits, 192-bits or 256-bits. One of the aes round key instructionsgenerates a round key for use in an encryption operation and the otheraes round key instruction generates a round key for use in a decryptionoperation. The immediate field in the AESNextRoundKey and theAESPreviousRoundKey instructions specify the size of the key {128, 192,256}.

In yet another embodiment, instead of an immediate field, the differentkey sizes may be implemented as separate instructions each having aunique operation code. In this embodiment, the number of aes round keyinstructions includes three separate instructions for each round keyoperation, for example, AESNextRoundKey 128 AESNextRoundKey 192 andAESNextRoundKey 256 and there would be a similar set of threeinstructions for AESPreviousRoundKey. In this embodiment, the totalnumber of instructions in the instruction set is 10 instead of 6 in thepreviously discussed embodiment.

The register file 304 has a plurality of 128-bit registers which may beused by the aes instructions in the aes instruction set. The 128-bitregisters may store source operand(s), round keys and the result of theaes instruction. For the first round, the aes instruction receives asource operand that may be 128-bit of plaintext to be encrypted or128-bits of cipher text to be decrypted. A key for generating a keyschedule for a 128-bit, 192-bit or 256-bit key may be stored in any ofthe 128-bit registers 308 in the register file 304. The round keys mayalso be stored in any of the 128-bit registers 308 in the register file.All of the instructions use registers in the register file and may alsotake input directly from memory as discussed earlier.

An example of source code that uses an embodiment of the aes instructionset shown in Table 1 is shown in Table 2 below. In the example,performance is optimized in an application for performing encryptionthat uses the same key for many blocks. One such application is the useof a single key for encrypting contents of a disk in which the same keyis used for encrypting all of the data prior to being stored on thedisk. In the example, AES-128 encryption is performed.

The size of the key may be 128-bits, 192-bits or 256-bits. The number ofrounds to be performed (n) may be 1, 10, 12 or 14 dependent on the sizeof the key with each round key being a fixed size (128-bits). With anumber of rounds value of 10, 12, 14, the aes micro operations mayperform standard aes encryption and decryption for key sizes of128-bits, 192-bits or 256-bits.

When the same key is used for many blocks, the round key for each round(key schedule) may be pre-computed and stored in memory (for example,level 1 data cache 204) so that the same key schedule does not have tobe recomputed prior to an encryption/decryption operation on each block.

TABLE 2   RK[0] = Input Key For i = 1..10  RK [i] = AESNextRoundKey(RK[i-1]) End STATE = Input Block STATE = STATE xor RK[0] For i = 1..9 STATE = AESENCRYPTRound (STATE, RK[i]) End STATE = AESENCRYPTLastRound(STATE, RK[10])

An array (RK) having 10 elements is used to store the key schedule forthe key. The input key for AES-128 encryption is stored in RK[0] and the9 round keys RK[0]-RK[1] are pre-computed through a call to theAESNextRoundKey instruction from the aes instruction set. TheAESNextRoundKey instruction computes the next round based on the currentround key. The pre-computed round keys for the key schedule may bestored in round key 214 in level 1 data cache 204.

In this example, as the portion of the key schedule (expanded key), thatis the round key for the round is input directly from the register file304, an exclusive OR (XOR)operation is performed on the state and keyprior to entering the loop for performing the aes rounds. For each round1 through 9, the AESENCRYPTRound instruction from the aes instructionset is called to perform the aes round operation for one round. For thelast round (round 10) the AESNECYRPTLastRound instruction from the aesinstruction set is called to perform the aes round operation for thelast round.

Information to be encrypted or decrypted by the aes instruction isloaded into a source/destination register 306 in the register file 304prior to issuing the first aes instruction to start an encrypt ordecrypt operation. The key to be used to encrypt/decrypt the informationin the source register 306 is stored in one or more other registers 308in the register file 308. In the case of a 128-bit key, the entire128-bits of the key are stored in any one of the other 128-bit registersin the register file 304. For key sizes greater than 128 bits, the mostsignificant bits (greater than 128 bits) are stored in another one ofthe 128-bit registers.

In the example shown in Table 2, the round key for each round ispre-computed based on the key and may be stored in level 1 data cache204 prior to being loaded into any one of the registers 308 in theregister file 304. The key for each round may also be stored in one ormore registers in the register file 304 or may be stored in round key214 in level 1 data cache 204.

AES has a fixed block size of 128 bits and a key size of 128, 192 or 256bits and operates on a 4×4 array of bytes (that is, 16 bytes (128-bitfixed block size)), which is referred to as the ‘state’. The AESalgorithm transforms a 128-bit plaintext block into a 128-bit block ofcipher text (encrypts) or a 128-bit block of cipher text into a 128-bitblock of plaintext (decrypts) in 10, 12, or 14 consecutive rounds, withthe number of rounds dependent on the key size (128, 192 or 256-bits).

Prior to performing the per round encryption or decryption operation,the execution unit 210 retrieves the state and the key which are storedin the register file 304. Each encryption/decryption round operation isperformed using the micro operations for the aes instruction stored inthe key scheduler 302 in the Read Only Memory (ROM) 214. In theembodiment shown, the state (128-bit block state) is stored in register306 and the key is stored in one or more of the other registers 308 inthe register file 304. After the execution of the aes instruction iscomplete, the resulting state is stored in register 306 in the registerfile 304. The state may be an intermediate round date to be used by anext aes round or the final result of the AES encryption or decryptionoperation.

In the embodiment shown, a key scheduler 302 generates the round key tobe used in an aes round. The key scheduler 302 may be implemented asmicrocode operations and may include microcode operations to perform thesequence of operations for generating round keys for 128-bit, 196-bitand 256-bit keys as defined by FIPS Publication 197.

In another embodiment, the key scheduler may be implemented as ahardware state machine sequence in the execution unit 210. In yetanother embodiment, some portion of the key scheduler may be implementedas microcode operations stored in the microcode ROM 214 and theremainder of the key scheduler may be implemented as a hardware statemachine sequence in the execution unit 210.

The key scheduler 302 expands the n-bytes of a key into b-bytes of anexpanded key (key schedule) with the first n-bytes of the expanded keybeing the original key. For example, for a 128-bit key, the 128-bit keyis expanded into a 176-bytes expanded key, that is, 11×16-bytes(128-bits), with the first 16-bytes being the original 128-bit key, andthus the number of rounds is 10. The 24 bytes of a 192-bit key areexpanded into 208 bytes (13×16 bytes) to provide 12 “round keys” one foreach of the 12 rounds and the 32 bytes of a 256-bit key are expandedinto 240 bytes (15×16 bytes) to provide 14 “round keys” one for each ofthe 14 rounds.

Upon decoding the operation code (opcode) in an aes instruction, anumber of parameters to be used to control the flow in the aesinstruction for one aes round are stored in control logic 322. Theparameters include the type of operation (encryption or decryption) andwhether it is a last round.

Aes round logic 324 may include micro operations for the followingstages: block state 314, s-box/inverse S-box 316, shift rows 316 and mixinverse, mix columns or null (referred to as “mix columns”) 320 and addround key 326.

In block state 314, the 128-bit input (state) to the aes round logic 324is added with a key (128-bit portion of the expanded key associated withthe round) using bitwise XOR to produce a 128-bit intermediate value(state).

In the S-box/inverse S-box 316, each byte of this 128-bit intermediatevalue is substituted with another byte value that may be stored andretrieved from a lookup table also referred to as a substitution box or“S-Box”. The S-box takes some number of input bits, m, and transformsthem into some number of output bits, n and is typically implemented asa lookup table. A fixed lookup table is typically used. This operationprovides non-linearity through the use of the inverse function overGalois Field (GF)(2⁸). For example, the n-bit output may be found byselecting a row in the lookup table using the outer two bits of them-bit input, and selecting a column using the inner bits of the m-bitinput.

In Shift Rows 318, the results from S-box/inverse S-box 316 passesthrough a bit-linear transform in which bytes in each row of the 4×4array (128-bit (16 bytes) state) received from the Sub Bytes stage areshifted cyclically to the left. The number of places each byte isshifted differs for each row in the 4×4 array.

In Mix Columns 320, the results from Shift Rows 320 passes through abit-linear transform in which each column of the 4×4 array (state) istreated as a polynomial over a binary Galois Field (GF)(2⁸) and is thenmultiplied modulo x⁴+1 with a fixed polynomial c(x)=3x³+x²+x+2. A lastaes round differs from the other aes rounds in that it omits Mix Columns320.

Add Round Key 324 after the Mix Columns stage 320 performs an exclusiveOR function on the round key from the expanded key and the result ofShift Rows 318 or Mix Columns 320 for the aes round.

For example, the following aes instruction may be issued to perform oneround of aes decryption:

AESDECRYPTRound xmmsrcdst xmm

This example performs a 128-bit AES encrypt round operation with a keywhose expanded key is represented as {RK[1], RK[2], RK[10]}. The roundkey may be generated by issuing a AESPreviousRoundKey xmmsrcl, 2 xmm dst(immediate) instruction prior to issuing the AESDECRYPTRoundinstruction. The round key may be loaded directly into the block state314 from Level 1 data cache 204 or may first be stored in a register(xmm) in the register file 304 and then loaded into the block state 314from the register.

When a different key is used to encrypt/decrypt each block, for example,in the case of a network interface controller (NIC) that isencypting/decrypting data packets, the round key may computed on-the-flyprior to performing encryption/decryption for each round as shown in thepseudo code below in Table 3 for AES-128 encryption:

TABLE 3   RK[0] = Input Key STATE = Input Block STATE = STATE xor RK[0]For i = 1..9  RK [i] = AESNextRoundKey (RK[i-1])  STATE =AESENCRYPTRound (STATE, RK[i]) End RK [10] = AESNextRoundKey (RK[9])STATE = AESENCRYPTLastRound (STATE, RK[10])

In this example, the round key for the round is generated prior toperforming encryption using the round key for each of the 10 rounds inthe key schedule (expanded key), that is, rounds 1-9 and round 10 (thelast round).

The set of aes instructions that include single aes round instructionsand single aes round key generation instructions allows variants of AESwith different number of rounds and key schedules, that is, variants ofAES not defined by FIPS Publication 197. Thus, the single round aesinstructions in the aes instruction set provide flexibility inperforming aes encryption and decryption.

As the number of rounds performed by the aes instruction set is notfixed, any numbers of rounds, if required, may be performed. Forexample, the number of rounds may be varied to support futureencryption/decryption standards if new standards for hashing or MAC-ingattacks, or attacks on AES are introduced.

FIG. 4 is a flow graph illustrating the flow of an aes encrypt roundinstruction through the execution unit 210 shown in FIG. 3.

At block 400, the execution unit 210 waits for an aes encrypt roundinstruction. If an AES encrypt round instruction has been decoded by thefetch and decode unit 206, processing continues with block 402. If not,processing remains in block 400 waiting for an aes encrypt roundinstruction.

At block 402, during the instruction decode by the fetch and decode unit206, an indication that encryption is to be performed is stored in thecontrol logic 322 and the round key and 128-bit block state (source) foruse in performing the encryption round are loaded into the executionunit 210 from the register file 304. Processing continues with block404.

At block 404, a substitution operation is performed on the 128-bit blockstate that is, the result from block 406 or 418. Each byte of the128-bit block state is substituted with another byte value that can bestored and retrieved from a lookup table also referred to as asubstitution box or “S-Box”. The S-box takes some number of input bits,m, and transforms them into some number of output bits, n and istypically implemented as a lookup table. The result is stored as a128-bit block state. Processing continues with block 406.

At block 406, the 128-bit block state (4×4 array) passes through abit-linear transform in which bytes in each row of the 4×4 array areshifted cyclically to the left. The number of places each byte isshifted differs for each row in the 4×4 array. Processing continues withblock 408.

At block 408, the 128-bit block state (4×4 array) passes through abit-linear transform in which each column of the 4×4 array (state) istreated as a polynomial over GF(2⁸) and is then multiplied modulo x⁴+1with a fixed polynomial c(x)=3x³+x²+x+2. Processing continues with block410.

At block 410, an exclusive OR function is performed on the round keyfrom the expanded key and the result of Shift Rows 318 or Mix Columns320 for the aes round. Processing continues with block 412.

At block 412, the result of the encryption operation for the round(128-bit block state) is stored in the source/destination register 302in the register file 304. Processing for the aes encrypt instruction iscomplete.

Table 4 below shows an example of the result of performing AES-128encryption using a 128-bit key on a 128-bit block input after executionof the pseudo code shown in Table 3.

TABLE 4 128-bit Input: 00112233445566778899aabbccddeeff (Hexadecimal)128-bit Key: 000102030405060708090a0b0c0d0e0f (Hexadecimal) 128-bitResult: 69c4e0d86a7b0430d8cdb78070b4c55a (Hexadecimal)

FIG. 5 is a flow graph illustrating the flow of an aes encrypt lastround instruction through the execution unit 210 shown in FIG. 3.

At block 500, the execution waits for an aes encrypt last roundinstruction. If an AES encrypt last round instruction has been decodedby the fetch and decode unit 206, processing continues with block 502.If not, processing remains in block 500 waiting for an aes instruction.

At block 502, an S-box lookup is performed for the last round in asimilar manner to the S-box lookup discussed in conjunction with block404 (FIG. 4). Processing continues with block 504.

At block 504, a shift rows operation is performed for the last round ina similar manner to that discussed in conjunction with the other roundsin block 406 (FIG. 4). Processing continues with block 506.

At block 506, an exclusive OR function is performed on the round keyfrom the expanded key and the result of Shift Rows 318 or Mix Columns320 for the aes round. Processing continues with block 508.

At block 508, the result of the encryption last round operation isstored in the source/destination register 306 in the register file 304.Processing for the aes instruction is complete.

FIG. 6 is a flow graph illustrating the flow of an aes decrypt roundinstruction through the execution unit 210 shown in FIG. 3.

At block 600, the execution waits for an aes decrypt round instruction.If an AES decrypt round instruction has been decoded by the fetch anddecode unit 206, processing continues with block 602. If not, processingremains in block 600 waiting for an aes decrypt round instruction.

At block 602, during the instruction decode by the fetch and decode unit206, an indication that a decrypt round is to be performed is stored inthe control logic 322 and the round key and source (128-bit block state)for use in performing the decrypt round are loaded into the executionunit 210 from the register file 304. Processing continues with block604.

At block 604, the operation to be performed is decryption. Asubstitution operation is performed on the 128-bit block state byperforming an inverse s-box lookup as defined by the AES standard.Processing continues with block 606.

At block 606, an inverse shift rows operation is performed as defined byFIPS publication 197. Processing continues with block 608.

At block 608, an inverse shift rows operation is performed as defined byFIPS publication 197. Processing continues with block 610.

At block 610, an exclusive OR function is performed on the round keyfrom the expanded key and the result of Shift Rows 318 or Mix Columns320 for the aes round. Processing continues with block 612.

At block 612, the result of the decryption operation for the round(128-bit block state) is stored in the source/destination register 302in the register file 304. Processing for the aes decrypt roundinstruction is complete.

FIG. 7 is a flow graph illustrating the flow of an aes decrypt lastround instruction through the execution unit 210 shown in FIG. 3.

At block 700, the execution unit 210 waits for an aes decrypt last roundinstruction. If an AES decrypt last round instruction has been decodedby the fetch and decode unit 206, processing continues with block 702.If not, processing remains in block 700 waiting for an aes decrypt lastround instruction.

At block 702, a substitution operation is performed on the 128-bit blockstate for the last round by performing an inverse s-box lookup asdefined by FIPS publication 197. Processing continues with block 704.

At block 704, an inverse shift rows operation is performed for the lastround as defined by FIPS publication 197. Processing continues withblock 706.

At block 706, an exclusive OR function is performed on the round keyfrom the expanded key and the result of Shift Rows 318 or Mix Columns320 for the aes round. Processing continues with block 708.

At block 708, the result of the decrypt last round operation is storedin the source/destination register 306 in the register file 304.Processing for the aes decrypt last round instruction is complete.

In one embodiment, the blocks in the flowgraphs of FIGS. 4-7 may beimplemented as a hardware state machine sequence in the execution unit210. In another embodiment portions of the blocks may be implemented asa micro-program that may be stored in Read Only Memory (ROM) 214. Theembodiment in which the blocks are implemented as a hardware statemachine sequence may provide higher performance.

FIG. 8 illustrates an embodiment of an aes round instruction withimmediate byte that may be used to generate round keys and performencryption and decryption. Instead of the aes instruction set shown inTable 1, a single aes round instruction is provided to perform thefunctions of the aes instruction set. The particular function to beperformed by the single aes instruction is encoded in bits in theimmediate byte (key_select_modifier). The immediate byte allows the aesround instruction to be expanded to add new features instead of creatinga plurality of new instructions with each instruction having a uniqueoperation code.

The aes round instruction may be defined symbolically as follows:

dest:=aes_key_round(source2,source1),key_select_modifier

The aes_key_round instruction is issued to a particular execution unit210 based on port number in order to perform an AES encrypt or decryptoperation. In the embodiment shown, port number 4 is the designatedexecution port for the AES round instruction. The execution unit 210 isdivided into many parallel ports (super-scalar). However, not all portsare equal. Some ports have specialized resources such as a large integermultiplier, or floating-point multiplier or divider. Simpler and morecommon instructions such as addition, subtraction and exclusive OR aresupported on multiple ports for maximum performance. Thus for eachinstruction or micro-operation, issue control logic determines the portto which to issue the micro-operation/instruction. In this embodiment,the aes instruction is always issued to port number 4. However, in otherembodiments other port numbers may be used.

Referring to FIG. 8, the dest stores 128 bits of expanded key for roundN, source2 stores 128 bits of expanded key for round N-1, and source1stores 128 bits of expanded key for round N-2. The key_select_modifieris an 8-bit immediate value used to provide current round number (N),direction of operation (encrypt/decrypt) and AES key size. For AES-128,source1 is not needed and is ignored. The execution unit is AES unit andno flags (integer or floating point) are used.

In one embodiment, the bit encoding of the four least significant bitsof the immediate value indicate the round number, for example, a roundnumber from 1-10 for AES-128, a round number from 1-12 for AES-192 and around number from 2-14 for AES 256. For AES-128 and 192 round number 0is not valid because the first round uses the unmodified input key. ForAES-256 round numbers 0 and 1 are not valid as the unmodified 256-bitinput key is used for the first 2 128-bit rounds.

Bit 4 of the immediate byte indicates the direction of operation(encryption or decryption), for example, in one embodiment 0=encrypt,and 1=decrypt and in another embodiment 1=encrypt, and 0=decrypt. Bits 5and 6 of the immediate byte indicate the AES key size. In one embodimentthe AES key size is defined as shown in Table 5 below:

TABLE 5 Bits[6:5] Key Size 00 128 01 192 10 256 11 Reserved

In another embodiment, bits [6:5] having a value of 11 is also anindicator for a 128-bit key size. In this embodiment, all values of bits[6:5] are valid and may be parsed.

It will be apparent to those of ordinary skill in the art that methodsinvolved in embodiments of the present invention may be embodied in acomputer program product that includes a computer usable medium. Forexample, such a computer usable medium may consist of a read only memorydevice, such as a Compact Disk Read Only Memory (CD ROM) disk orconventional ROM devices, or a computer diskette, having a computerreadable program code stored thereon.

While embodiments of the invention have been particularly shown anddescribed with references to embodiments thereof, it will be understoodby those skilled in the art that various changes in form and details maybe made therein without departing from the scope of embodiments of theinvention encompassed by the appended claims.

1. A system comprising: a processor comprising: a plurality of cores; alevel 1 (L1) instruction cache to store a plurality of instructions, theplurality of instructions to include a first Advanced EncryptionStandard (AES) instruction; an L1 data cache; instruction fetch logic tofetch instructions from the L1 instruction cache; decode logic to decodeinstructions; a first source register to store a round key to be usedfor a round of an AES encryption operation; a second source register tostore input data to be encrypted by the round of the AES encryptionoperation; an execution unit including AES execution logic to executethe first AES instruction to perform the round of the AES encryptionoperation, the AES encryption operation to use the round key from thefirst source register to encrypt input data from the second sourceregister and to store a result of the round of the AES encryptionoperation in a destination register; wherein the round of the AESencryption operation is to include: a Sub Bytes transform to perform abyte substitution on the input data, the Sub Bytes transform to use asubstitution box (S-box) to result in a first array of substituted data,a Shift Rows transform to shift row data in the first array by aspecified amount to result in a second array, a Mix Columns transform inwhich columns of the second array are to be treated as polynomials overa Galois Field GF(28) and multiplied modulo x4+1 with a fixed polynomialto generate a mix columns result, and an Add Round Key transform inwhich an exclusive OR function is to use data from the round key and themix columns result; a memory controller to couple the processor to adynamic random access memory (DRAM); and an input/output (I/O)controller to couple the processor to one or more devices.
 2. The systemof claim 1, wherein the memory controller is a graphics memorycontroller.
 3. The system of claim 1, wherein the I/O controller is astorage I/O controller.
 4. The system of claim 1, the one or moredevices to include one or more storage devices.
 5. The system of claim4, wherein at least one of the one or more storage devices is to becoupled to the processor over at least one Serial Attached SmallComputer System Interface (SAS).
 6. The system of claim 4, wherein theone or more storage devices are to be arranged as a Redundant Array ofIndependent Disks (RAID).
 7. The system of claim 1, the one of moredevices to include at least one disk drive.
 8. The system of claim 1,the one or more devices to include at least one Digital Video Disk (DVD)drive.
 9. The system of claim 1, the one or more devices to include atleast one network interface.
 10. The system of claim 9, wherein the atleast one network interface is to be coupled to the processor to processdata packets.
 11. The system of claim 1, the one or more devices toinclude at least one network interface controller (NIC).
 12. The systemof claim 11, wherein the NIC is to be coupled to the processor toprocess data packets
 13. The system of claim 1, the one or more devicesto include a one or more storage devices and at least one networkinterface.
 14. The system of claim 13, wherein at least one of the oneor more storage devices is to be coupled to the processor over at leastone Serial Attached Small Computer System Interface (SAS).
 15. Thesystem of claim 13, wherein the one or more storage devices are to bearranged as a Redundant Array of Independent Disks (RAID).
 16. Thesystem of claim 1, wherein the DRAM is Synchronized Dynamic RandomAccess Memory (SDRAM).
 17. The system of claim 1, wherein the DRAM isDouble Data Rate (DDR) Random Access Memory.
 18. The system of claim 1,wherein the DRAM is Double Data Rate 2 (DDR2) Random Access Memory. 19.The system of claim 1, wherein the DRAM is Rambus Dynamic Random AccessMemory (RDRAM).
 20. The system of claim 1, wherein the one or moredevices is to include at least one storage device and the DRAM is DoubleData Rate (DDR) Random Access Memory.